
10 April 2026

How to share event photos without biometric data

A practical guide for event organisers who want to distribute photos to attendees without storing faces, fingerprints, or other biometric data.

biometric data, GDPR, event photography, privacy

Most event photo platforms collect biometric data. They scan faces, build templates, store them, compare them against future photos. Under GDPR that's special category data and it puts you in a different legal regime.

If you'd rather not go down that road, here's how to share photos with attendees without touching biometrics at all.

What counts as biometric data

Before we get into the how-to, it helps to know what you're avoiding. Under Article 4 of GDPR, biometric data is personal data resulting from specific technical processing of a person's physical, physiological, or behavioural characteristics that allows or confirms that person's unique identification. Face templates are the most common example. Fingerprints, iris scans, and voice prints are others.

A regular photo of someone is personal data, but not automatically biometric data. It becomes biometric the moment you run it through a system that extracts identifying features from it. That distinction is important and it's where most organisers get confused.

The rules change when biometrics are involved

Standard event photography usually falls under legitimate interest. You tell people photography will happen, you mention it in your event terms, you give them an opt-out, and you're covered. That's Article 6.

Face recognition moves you to Article 9. At that point you need:

  • Explicit consent from each person whose face will be processed
  • A documented purpose for the processing
  • A retention policy with automatic deletion
  • The ability to handle data subject requests, including deletion
  • In some cases, a Data Protection Impact Assessment

This is not impossible, just expensive and slow. Most organisers don't have the legal or operational muscle to do it properly. Skipping biometrics is the pragmatic choice.

Your options

You need some way to match each photo to the right person. Without biometrics, that means the identifier has to be something physical or manual.

Our preferred approach is badge markers. Attendees wear a badge with a small visual marker, photos are scanned automatically for those markers, and matching happens without any personal data analysis. The marker is just a shape, not a biometric signature.

QR codes on badges work similarly but are more visually intrusive and harder to read reliably from photos taken at a distance.

Manual tagging works for small events. A staff member goes through each photo and writes names. Slow but private.

Event app logins are another option. Attendees mark themselves in photos via your event app. Fine for small events where people are engaged enough to do the work themselves.

None of these involve face templates, fingerprints, or anything else in the special category bucket. You stay firmly on legitimate interest ground.

The practical setup

Assuming you go with a marker-based system like Pictag.IO, the flow looks like this.

Before the event, you create an event in the platform and generate one marker per attendee. You print these alongside your normal badges. Each marker is linked to an attendee record in your system.

During the event, nothing changes for the photographer. They shoot like they normally would. No special cameras, no special instructions, no QR scanning workflow.

After the event, the photographer uploads everything in one go. The platform scans every photo, finds markers, and matches them to attendees. No faces get analysed, no templates get built, no biometric data gets stored.

Attendees visit your event page and enter their badge code. They see the photos they appear in. They can download them or, if you've set up a survey, answer a few questions first.

Privacy notice wording

You still need a privacy notice for event photography, even without biometrics. Something like this covers the basics:

Photography will take place at this event. Photos may be used for marketing and will be shared with attendees via our event platform. We do not use facial recognition or any other biometric processing. Photos will be deleted after 30 days. To request deletion of a specific photo you appear in, contact us at email.

Adjust the retention period to match whatever your platform actually does.
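
The flow from "The practical setup" and the 30-day retention in the sample notice can be expressed as a small data model. This is an added example, not Pictag.IO's code: the class and method names, the marker ids, and the use of randomly generated badge codes are assumptions, and the marker scanner itself is out of scope.

```python
import secrets
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # from the sample notice; match your platform

class EventPhotoIndex:
    """Marker-based matching: stores marker ids only, no face data of any kind."""

    def __init__(self):
        self._marker_by_code = {}  # badge code -> marker id
        self._photos = {}          # photo id -> (uploaded_at, marker ids seen)

    def issue_badge(self, marker_id):
        # Assumption: badge codes come from a CSPRNG so they cannot be guessed
        # to browse another attendee's photos.
        code = secrets.token_urlsafe(9)
        self._marker_by_code[code] = marker_id
        return code

    def add_photo(self, photo_id, detected_markers, uploaded_at):
        # detected_markers is the output of a (hypothetical) marker scanner.
        self._photos[photo_id] = (uploaded_at, frozenset(detected_markers))

    def photos_for(self, badge_code, now):
        marker = self._marker_by_code.get(badge_code)
        if marker is None:
            return []  # unknown code: reveal nothing
        return sorted(pid for pid, (ts, seen) in self._photos.items()
                      if marker in seen and now - ts < RETENTION)

    def purge_expired(self, now):
        # Automatic deletion once the retention period has passed.
        expired = sorted(pid for pid, (ts, _) in self._photos.items()
                         if now - ts >= RETENTION)
        for pid in expired:
            del self._photos[pid]
        return expired

    def delete_photo(self, photo_id):
        # Deletion request for one specific photo.
        return self._photos.pop(photo_id, None) is not None

def demo():
    # Constructed sample data: two attendees, two uploads.
    t0 = datetime(2026, 4, 10, tzinfo=timezone.utc)
    idx = EventPhotoIndex()
    alice, bob = idx.issue_badge("M-001"), idx.issue_badge("M-002")
    idx.add_photo("p1", ["M-001", "M-002"], t0)
    idx.add_photo("p2", ["M-002"], t0 + timedelta(days=10))
    return idx, alice, bob, t0
```

Nothing in the stored records is derived from a face, so the index holds ordinary personal data rather than biometric templates.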

What you give up

Being biometric-free does mean you lose a few capabilities. You can't automatically find photos of someone who lost their badge. You can't match photos of an attendee's face at a future event. You can't do advanced analytics like sentiment detection or demographic breakdowns.

For most conferences, none of that matters. The goal is "help people find their photos." Markers do that without opening the GDPR door.

Try Pictag.IO for your next event.
